Google Wallet keeps too much data unencrypted – study

13 Dec 2011

A study from digital forensics and security firm viaForensics found that NFC payment app Google Wallet kept too much data unencrypted, such as transaction history and credit card balances, when it rooted the device.

The app lets users pay for goods and services with NFC-enabled smartphones. Users can add their credit card details on the app and, by swiping their phone over an in-store terminal, they can pay for goods in seconds.

viaForensics conducted a review of the information sent and stored by Google Wallet to see how secure it was with sensitive data. A Google Nexus S was used, along with a CitiBank MasterCard for payments.

After making some purchases with the phone, the researcher rooted it and found an unencrypted database within the Google Wallet app, with transaction histories, the current credit card balance, its expiration data and the card holder’s name.

The study found that while Google Wallet kept full credit card numbers secure, the app did not encrypt “pretty much everything except the first 12 digits of your credit card.” It believes that enough information is stored on the phone which could allow scammers to conduct a social engineering attack against the consumer.

“It has consistently been viaForensics’ position that the largest security risk from apps using NFC do not stem from the core NFC technology but instead the apps that use the technology,” concluded the study.

“In this case, the amount of unencrypted data store by Google Wallet surpasses what we believe most consumers find acceptable.”

American Banker reports that Google released a statement to counter these claims, pointing out that this information is only accessible if the phone is rooted.

"The viaForensics study does not refute the effectiveness of the multiple layers of security built into the Android operating system and Google Wallet," said a Google spokesperson.

"This report focuses on data accessed on a rooted phone, but even in this case, the secure element still protects the payment instruments, including the credit card and card verification value numbers. Android actively protects against malicious programmes that attempt to gain root access without users’ knowledge,” he said.